experiences with paste-monitoring - owasp benelux day 2016
Posted on 01-Jan-2017
Experiences with Paste-Monitoring
OWASP BeNeLux Day 2016
Michael Hamm - TLP:WHITE
info@circl.lu
17-18 March 2016, Esch-Belval, Luxembourg
• The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents.
• CIRCL is the CERT for the private sector, communes and non-governmental entities in Luxembourg.
2 of 38
CERT point of view
• Help
  ◦ Acts like a fire brigade
  ◦ Take all reported incidents seriously
  ◦ Help: triage, analysis and response
  ◦ Help: technical investigation
  ◦ Reliable and trusted point of contact
  ◦ No duty to report to the police
  ◦ Victim's duty to file a complaint
• Prevent incidents
  ◦ Early detection
  ◦ Proactive security
3 of 38
CERT services/tools
• Malware Information Sharing Platform - MISP
  ◦ https://www.circl.lu/services/misp-malware-information-sharing-platform/
• URL Abuse Testing
  ◦ https://www.circl.lu/services/urlabuse/
• Dynamic Malware Analysis Platform - DMA
  ◦ https://www.circl.lu/services/dynamic-malware-analysis/
• Paste Monitoring & Analysis of Information Leaks Framework - AIL
  ◦ https://github.com/CIRCL/pystemon
  ◦ https://github.com/CIRCL/AIL-framework
4 of 38
Paste Monitoring
• Example: http://pastebin.com/
  ◦ Store text online, easy sharing
  ◦ Used by programmers
  ◦ Source code & configuration information
• Abused by attackers to store:
  ◦ Exploit code
  ◦ Results of running malicious code
  ◦ D0x
  ◦ List of open proxies
  ◦ Announcements of OPs...
  ◦ –> Examples: #OpAlQeeq #OpIsrael #OpSaveGaza
5 of 38
Paste Monitoring: General examples
6 of 38
Paste Monitoring: General examples
7 of 38
Paste Monitoring
• Results of running malicious code
  ◦ Results of port- and vulnerability scans
  ◦ Lists with vulnerable sites
  ◦ Lists with compromised sites
  ◦ Database dumps
  ◦ Credit card details
  ◦ Leaked 3rd party credentials
8 of 38
Paste Monitoring: General examples
9 of 38
Paste Monitoring
• Statistics
  ◦ Monitoring up to 30 sources
  ◦ Average 1.800.000 pastes/month
  ◦ >100 keywords (constituency)
  ◦ Leads to 5.250 tickets/month
  ◦ Leads to 35 incidents/month
  ◦ Leads to 140 investigations/month
  ◦ Average 7 investigations/day
  ◦ One investigation: 5 minutes to 1 hour
• Challenges
  ◦ Unstructured data
10 of 38
CIRCL #219393 List of URLs
http://www.gasxxxx.com//images/jdownloads/screenshots/spy.gif
http://burytoxxxx.co.uk//images/jdownloads/screenshots/spy.gif
http://sheriasxxxx.coop//images/jdownloads/screenshots/spy.gif
http://www.exxxx.org//images/jdownloads/screenshots/spy.gif
http://www.bexxxx.com//images/jdownloads/screenshots/spy.gif
http://south-xxxx.com//images/jdownloads/screenshots/spy.gif
http://ixxx.org//images/jdownloads/screenshots/spy.gif
http://www.exxxx.com.au//images/jdownloads/screenshots/spy.gif
http://www.alphamxxxxxxxxxx.co.za//images/jdownloads/screenshots/spy.gif
http://www.tablemxxxxxxxx.com//images/jdownloads/screenshots/spy.gif
http://www.dubairealdxxxxxxxxxx.com//images/jdownloads/screenshots/spy.gif
http://www.world-xxxxx.com//images/jdownloads/screenshots/spy.gif
http://www.nepalmxxxxxxxxxx.com//images/jdownloads/screenshots/spy.gif
http://www.proxxx.xxx.gov.ph//images/jdownloads/screenshots/spy.gif
http://www.ajxxx.com//images/jdownloads/screenshots/spy.gif
http://www.fcfmixxxxxx.com//images/jdownloads/screenshots/spy.gif
http://mdxxxx.org//images/jdownloads/screenshots/spy.gif
http://www.lsxxxx.com//images/jdownloads/screenshots/spy.gif
http://pxxxx.com//images/jdownloads/screenshots/spy.gif
http://www.contxxxxx.net//images/jdownloads/screenshots/spy.gif
http://info.farmixxxxxx.fi//images/jdownloads/screenshots/spy.gif
http://www.flxx.be//images/jdownloads/screenshots/spy.gif
http://www.solidxxxx.at//images/jdownloads/screenshots/spy.gif
http://www.xxxx.xtc.br//images/jdownloads/screenshots/spy.gif
http://www.fexxxxx.at//images/jdownloads/screenshots/spy.gif
http://ontarioxxxxxxxxxx.ca//images/jdownloads/screenshots/spy.gif
11 of 38
CIRCL #219393 What is behind these URLs?
http://www.pxxxxx.xxx.gov.ph//images/jdownloads/screenshots/spy.gif
http://www.xxxxx.gov.zm//images/jdownloads/screenshots/spy.gif
http://www.xxx.gov.zm//images/jdownloads/screenshots/spy.gif
http://www.xxxxx.gov.zm//images/jdownloads/screenshots/spy.gif
http://www.xxxxxxxxxxx.gov.it//images/jdownloads/screenshots/spy.gif
http://www.xxxxxxxxxxx.gov.uk//images/jdownloads/screenshots/spy.gif
http://www.goxxxxxxxxxx.gov.it//images/jdownloads/screenshots/spy.gif
12 of 38
CIRCL #223483 What is behind these URLs?
13 of 38
CIRCL #223483 Defacements
14 of 38
Results of running malicious code
• How can we help?
  ◦ Report to the website owner (constituency)
  ◦ –> Give advice to them
  ◦ Report to other CERTs
• What can we not do?
  ◦ Contact all website owners outside our constituency
15 of 38
CIRCL #215347 The posting
Target = cpluxxxxxxxxxx.com
zul.xxxxx@ymail.com:5a9ac42d67ab0f139848bb0404355051e0dc6fcd10a22e2ca
ziyanxxxx@yahoo.com:46fe7a6944f6f2bfcebfdef6f06850d94eec1dc02b7722504
xxxxx@teclait.com:092cb6b0a6fb718f20f7704b41173ed52e938432f34a6f389
bscxxxxx@yahoo.com:d93999a44413a63f2dd4e176a349728a23f73aac492a69fcc
yoxxxxx@yahoo.com:e1171a55671a08ec2350902199ba774f82e95f34efe762616
yoogesxxxxx@yahoo.com:451a40fb63d53411f86f4f49b21cc468b058c59a4d41f2fe2
yixxxxxx@upei.ca:614a858c8643cf7e307fd634364f7d6c235f96837c49d0bd4
yinguxxxxx@ou.edu:e85962e3ee35e3f90fb356485c8ebe5b9ec042bac77f1c190
ygxxxxxx@gmail.com:80674b810fc53e53e048f6aacc3c055ddeb349998b9fc5b1a
yemioyxxxxx@yahoo.com:80a0a943d1f509925c7c5552842b4624c2b8effa0d2ec1791
yanninxxxxx@hotmail.com:c18d74cdda28c86615474636d20e2dc5c0b6f2605d570717a
yanghxxxxx@gmail.com:bd4cccf43e5eeee42ec13879f9b0dfd3c5f519658638f3f90
yahya.xxxxx@gmail.com:e61a87f807ec0e2d3f936a7cec7cb5dca8291060ddd212b4b
bendehbia.xxxxxx@hotmail.fr:65324f3ad8e3e85a51740787cf1d1d4bba5c0b84e130e7c60
write2sxxxxxxxxxx@gmail.com:20404051a1d5e96aa0f3a038bd15ce8854b8bbc9b67c2883c
wmsxxxxx@comcast.net:334780689a0ff89ee1034e909bb0bb0bfb4fd732afd7658cf
wincyxxx@hotmail.com:681505cf1cb3907277a081c34c1b72df800d0279d48804e38
jacktxxxxx@yahoo.com:51d94e5885764f3aec7058ba3f28107bcf49c5e79401c3fd6
whitegxxxxxxx@yahoo.com:79918c71701ab71bae7d700d67fd286d21b2f9c3ec513b7e1
whitegxxxxxxx@gmail.com:bc3950cf307a9bc54f103a7ed5275bf724b485c6f1b406bdd
16 of 38
Leaked 3rd party credentials
• How can we help?
  ◦ Report to the ISPs (constituency)
  ◦ –> Advise victims to change this password
  ◦ –> Change it everywhere
  ◦ Report to the targeted website owner
  ◦ Report to other CERTs
• What to avoid reporting?
  ◦ Re-postings
  ◦ Old passwords
  ◦ Issues that are already fixed
  ◦ Unknown targeted site
  ◦ Encrypted passwords
  ◦ –> We can give no advice
17 of 38
CIRCL #215347 The posting
18 of 38
CIRCL #215347 Analysis Stage 1
• What do we get
  ◦ Email addresses : encrypted passwords
  ◦ Bingo: Target site is quoted
Review the site:
19 of 38
CIRCL #215424 The posting
SEC EMAIL ADDRESS.csv
EMAIL ADDRESS,ENCRYPT PWD,FIRSTNAME
kente@prairiexxxxxxxx.us,74364AD466A3A97E4D1F7E90490FAE13,Kent
diann@westxxxxxxxx.com,354FA3FB52AAEDAE860431979286EDF0,Diann
klpetxxx@mixxxxxxxx.edu,67357C6CDE1E652C250A75D3764208D8,Kevin
jjamxx@dxxxxx.com,B8AAFA55304D218D9EB11FEE6ADED315,Jim
xxxxhambrick@exxxxxx.com,788F54A6D2CA11FA21A3DEE3F85D3BC9,Jim
xxnope@chxxxxx.net,558EFB24130D85DA042B45CFD2EA94A8,Judith
margexxxxxxxk@txx.com,AFBF5EEDB77DE36B8B559F5F896CDEB6,Marge
ganderxxx@dataxxxxxxx.com,9D9D1E968BC9BA76E5F8D8E8AE4B9CCA,Gisela
bexx@primaryxxxxxxxx.com,22FF6D707D7319F1A0AF8543503D5BC5,Albert
moniquexxxxxxx@ixxx.com,48ABE46CC4C64E840061EC8F65C0AFDD,Monique
deedeexxxxxxxx@cxxxxxxxxxxsparks.com,D2AEB85EA85A812D06B849F787074587,Dee dee
xxxlmer@deyoxxxxxx.com,3C7AB6E445E176DD48D4B954FAB1FB31,Johanna
xxxxxxxxxxxwilson@hotmail.com,359FCF260D068B42AE7CED3B8C91FD7C,Heather
mhamxxxx@xxxxview.org,A1926ADE8BAE523F9A0990613992065E,Mark
rebecca.xxxxxxxxxxx@xx.org,6E1DCB3D49E345DAF44A418E7515480B,Rebecca
marshallxxxxxxx@vxxx.com,E6CE602050FEF4B62AEBD637CE356B47,Marshall
awaxxxxx@hotmail.com,6590B4DC32FE183748680EC7E75D5FE3,Andrew
...//
20 of 38
CIRCL #215424 Analysis Stage 1
• Review the posting to gather additional information
• Unfortunately already suspended
21 of 38
CIRCL #215424 Analysis Stage 1
• Ask Google
• Leads to 1 hit at kickasspastes.com
22 of 38
CIRCL #215424 Search for "*****s.gov leak"
23 of 38
CIRCL #215424 Analyze the set
wc -l fc9VnYLt.txt
◦ 7103
grep -i "\.mil\," fc9VnYLt.txt
◦ 1
grep -i "\.gov\," fc9VnYLt.txt
◦ 175
grep -i "\.gov\," fc9VnYLt.txt |cut -f1 -d"," |cut -f2 -d"@" |sort |uniq -c |sort -n
◦ 1 ******hs.gov
◦ 1 *****a.gov
◦ 3 ***.gov
◦ 170 *****s.gov
24 of 38
CIRCL #219989 Posting already suspended
wc -l BvMacKhC.txt
–>5728
grep -i "\.mil\:" BvMacKhC.txt
–>34
grep -i "\.gov\:" BvMacKhC.txt
–>43
Google search for one of the leaked MD5 values
–>Leads to 1 hit in Google Cache
25 of 38
CIRCL #219989 From Google cache
26 of 38
CIRCL #219989 Validate the finding
grep -i altrx BvMacKhC.txt
angela.xxxxxxx@altrxxxxxxx.com:10D56F79CD9DA6496A8627455006FF
chris.xxxx@altrxxxxxxx.com:01E16299BC2ADD4679111FCF0E13A8
dan.xxxxxx@altrxxxxxxx.com:19104E6A08A4DD4C579CFCD8AB7249
dimitrios.xxxxxxxx@altrxxxxxxx:00A4AB56F3F68987E34360DE4B8498
whois altryyyyyyyyyyy.com
Registrant Organization: Altrx Indxxxxxxx xxxxxx...
whois altrxxxxxxx.com
Admin Organization: Altrx Indxxxxxxx xxxxxx...
27 of 38
CIRCL #215558 pastebin.com/hbjc03Yw
• Grep for ".mil\:"
  ◦ ryan.xxxxxx@xxxxxxxxx.af.mil:chronic
  ◦ Patrick.xxxxxx@xxxxxxxxxxx.af.mil:patrick
  ◦ 48fwxxx@xxxxxxxxxx.af.mil:chapel
  ◦ phillip.xxxxx@xxxxxxxxx.af.mil:allen
• Grep for ".gov\:"
  ◦ kerrixxxx@xxxx.xxi.gov:kerri
• Grep for ".gov"
  1. Leads to 98 hits, mainly gov.uk
  2. 1x .gov.ie
  3. 1x .gov.za
28 of 38
CIRCL #215558 Password Frequency Analysis
...
20 password
22 arsenal
22 daniel
24 george
26 joshua
29 charlie
30 matthew
38 123456
43 111
43 liverpool
121 snooker
29 of 38
CIRCL #215558 Analysis Stage 2
• What do we know
  ◦ Related: co.uk
  ◦ Related: Snooker
• How to find the targeted site?
  Google search for: "site:co.uk snooker login"
  –> Unfortunately no helpful results
• What can we do
  1. Go back to the data set
  2. Grep for "snooker"
  –> BINGO
30 of 38
CIRCL #210401 The posting
31 of 38
CIRCL #210401 Analysis Stage 1
• What do we get
  ◦ Date
  ◦ Email addresses | passwords
  ◦ –> Leaked 3rd party credentials
  ◦ Obviously many .BR accounts
• What do we miss
  ◦ Useful information in the header
  ◦ Target details in the posting
• What can we do
  1. Search for interesting accounts
  2. Identify targeted site
  3. Notify our partners in BR
32 of 38
CIRCL #210401 Analysis Stage 2
Search for interesting accounts
graziani.xxxx@xxxx.mar.mil.br|Aprovada
agendaxxxxx@xxxxxxx.rs.gov.br|240202
CLAUDIAxxxxxx@xxxxx.GOV.BR|9395
hellenxxxxxx@xxxxxxx.se.gov.br|33917841
Ocea@xxxxxxxxx.gov.br|180283
escolaxxxxxx@xxxxxxxx.mg.gov.br|171151
nelxxx@xxxxxx.gov.br|np201356
maicxxx@xxxx.rs.gov.br|061188
...
26 gov.br users
33 of 38
CIRCL #210401 Analysis Stage 3
Find target: By analyzing the leaked Passwords?
cut -f2 -d"|" qzQF6ib5.txt |sort |uniq -c |sort -n
4 010203
4 12345678
4 hospital
5 123456789
6 123456 gabriel
7 medicina
8 123
8 compras
8 telediu
13 1234
79 123456
34 of 38
CIRCL #210401 Analysis Stage 3
Find target: By analyzing the leaked Passwords?
grep -i teledi qzQF6ib5.txt
...
8x telediu
...
vanessxxxxxxx@gmail.com|Telediu84
cluciaxxxxxxx@hotmail.com|teledil
tarsisxxxxxxx@hotmail.com|telediu71
amarilxxxxxxx@gmail.com|rodtelediu
heldexxxxxxxx@yahoo.com.br|telediu11
andrexxxxxxxx@yahoo.com.br|telediu150
dentxxxxxxx@telexxxxxxxxxx|233748
pthainapegxxxxxxx@telexxxxxxx|74697649
35 of 38
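The shell steps used on slides 24 to 35 (count the set, grep for .gov and .mil addresses, cut the domain out of each address and count it, then count the password field to spot a value such as "snooker" or "telediu" that points at the targeted site) can be collected into one triage script. The following is an added example written for this page, not CIRCL's own tooling or part of AIL: SAMPLE_DUMP is a constructed leak in the two separator styles seen on the slides, and the ".lu" constituency suffix is a hypothetical setting. It also applies the distinction from slide 17 between hashed and plaintext fields, since only plaintext leaks let the CERT advise a concrete password change.

```python
"""Triage of a leaked credential set (added example, not CIRCL's own tooling).

Reproduces in Python the shell pipeline shown on the slides
(wc -l / grep .gov / cut -d"@" | sort | uniq -c / password frequency)
and adds the plaintext-vs-hash distinction that decides whether victims
can be advised to change a password. SAMPLE_DUMP is constructed; the
".lu" constituency suffix is a hypothetical setting.
"""
import re
from collections import Counter
from typing import List, Tuple

CONSTITUENCY_SUFFIXES = (".lu",)                    # hypothetical: who this CERT can notify
INTERESTING_SUFFIXES = (".gov", ".mil", ".gov.br")  # mirrors the greps on the slides

# Constructed sample: both separators seen on the slides ("email:secret" and
# "email|secret"), one header line, one MD5-length and one SHA-1-length hash.
SAMPLE_DUMP = """Target = shop.example.org
alice@example.lu:5f4dcc3b5aa765d61d8327deb882cf99
bob@mail.example.gov:snooker
carol@unit.example.mil|snooker
dave@example.lu|snooker2016
erin@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
frank@other.example.gov.br:123456
grace@Example.LU:snooker
"""

# email, then ':' or '|', then the secret; lines without that shape are skipped
RECORD_RE = re.compile(r"^\s*([^\s:|@]+@[^\s:|]+)[:|](.+?)\s*$")


def parse_records(text: str) -> List[Tuple[str, str]]:
    """Return (email, secret) pairs with the address lower-cased."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1).lower(), m.group(2)))
    return records


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[1]


def domain_counts(records) -> Counter:
    """Equivalent of: cut -f1 -d: | cut -f2 -d@ | sort | uniq -c"""
    return Counter(domain_of(e) for e, _ in records)


def suffix_hits(records, suffixes=INTERESTING_SUFFIXES) -> dict:
    """Equivalent of one grep per suffix, e.g. grep -i '\\.gov\\:'."""
    return {s: sum(domain_of(e).endswith(s) for e, _ in records) for s in suffixes}


def secret_kind(secret: str) -> str:
    """Classify the second field by shape: MD5- or SHA-1-length hex, else plaintext."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", secret):
        return "md5-length hash"
    if re.fullmatch(r"[0-9a-fA-F]{40}", secret):
        return "sha1-length hash"
    return "plaintext"


def password_frequency(records, top=5):
    """Equivalent of: cut -f2 | sort | uniq -c | sort -n, over plaintext fields only.
    A dominant unusual value (like 'snooker' on the slides) hints at the target site."""
    plain = Counter(s for _, s in records if secret_kind(s) == "plaintext")
    return plain.most_common(top)


def triage(text: str) -> dict:
    records = parse_records(text)
    kinds = Counter(secret_kind(s) for _, s in records)
    constituency = [e for e, _ in records
                    if domain_of(e).endswith(CONSTITUENCY_SUFFIXES)]
    return {
        "records": len(records),                 # wc -l, minus non-record lines
        "domains": domain_counts(records),
        "interesting": suffix_hits(records),
        "secret_kinds": kinds,
        "constituency_victims": constituency,
        # Only plaintext leaks allow the CERT to advise a concrete password change.
        "advice_possible": kinds["plaintext"] > 0,
        "top_passwords": password_frequency(records),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_DUMP))
```

Run against a saved paste, `triage(open("dump.txt").read())` gives the same four answers the slides work out by hand: how big the set is, which .gov/.mil domains are present, which addresses fall inside the constituency and can be notified, and which password value is frequent enough to name the targeted site.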
AIL
• Monitoring Module: Input feeds
• Analysis Module: Deduplication, Indexing, Classification
• Output Module: ZMQ, Redis
36 of 38
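As an illustration of the three module roles listed above, here is a small Python pipeline added for this page; it is not code from pystemon or the AIL framework. It deduplicates pastes by a hash of their normalised body (so the re-postings that slide 17 lists as not worth reporting are dropped), classifies the remainder against a constituency keyword list, and emits one JSON ticket record per hit, the kind of record an output module would publish to a queue. SAMPLE_FEED and CONSTITUENCY are constructed for the example.

```python
"""Minimal paste triage pipeline (added example; not CIRCL's pystemon or AIL code).

Follows the three stages named on the slide: input feed -> deduplication
-> keyword classification -> output record. SAMPLE_FEED and CONSTITUENCY
are constructed for the example; a real deployment would read pastes from
the monitored sources and publish the tickets to a queue.
"""
import hashlib
import json
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical constituency keywords (the slides mention >100 such keywords).
CONSTITUENCY = ["example.lu", "example-bank.lu"]

# Constructed sample feed: p3 is a byte-for-byte re-post of p1, p4 is the same
# posting with different case and whitespace, p2 and p5 are out of scope.
SAMPLE_FEED = [
    ("p1", "Target = shop.example.lu\nalice@example.lu:5f4dcc3b5aa765d61d8327deb882cf99\n"),
    ("p2", "open proxies\n10.0.0.1:8080\n10.0.0.2:3128\n"),
    ("p3", "Target = shop.example.lu\nalice@example.lu:5f4dcc3b5aa765d61d8327deb882cf99\n"),
    ("p4", "TARGET = Shop.Example.LU\n   alice@example.lu:5f4dcc3b5aa765d61d8327deb882cf99  \n"),
    ("p5", "mail dump\nbob@other.example:hunter2\n"),
]

# Captures the domain part of every e-mail address in a paste.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def normalise(body: str) -> str:
    """Lower-case and collapse whitespace so trivial re-posts dedupe as well."""
    return re.sub(r"\s+", " ", body).strip().lower()


def content_key(body: str) -> str:
    """Deduplication key: SHA-256 of the normalised paste body."""
    return hashlib.sha256(normalise(body).encode("utf-8")).hexdigest()


def classify(paste_id: str, body: str) -> Optional[dict]:
    """Return a ticket when a constituency keyword appears in the paste, else None."""
    lower = body.lower()
    hits = [k for k in CONSTITUENCY if k in lower]
    if not hits:
        return None
    domains = sorted(set(d.lower() for d in EMAIL_RE.findall(body)))
    return {"paste": paste_id, "keywords": hits, "email_domains": domains}


def run_pipeline(feed: List[Tuple[str, str]]) -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Deduplicate, then classify; returns (tickets, duplicates as (new_id, original_id))."""
    seen: Dict[str, str] = {}
    tickets, duplicates = [], []
    for paste_id, body in feed:
        key = content_key(body)
        if key in seen:
            duplicates.append((paste_id, seen[key]))
            continue
        seen[key] = paste_id
        ticket = classify(paste_id, body)
        if ticket:
            tickets.append(ticket)
    return tickets, duplicates


if __name__ == "__main__":
    tickets, dupes = run_pipeline(SAMPLE_FEED)
    for t in tickets:
        print(json.dumps(t))           # one JSON record per ticket, queue-ready
    print("duplicates skipped:", dupes)
```

Normalising before hashing is the design choice worth noting: an exact-bytes hash would let p4, the same posting re-pasted with different case and spacing, through as a new ticket, while the normalised key collapses it onto p1 together with the literal copy p3.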
AIL
37 of 38
Conclusion
• There are no small incidents
• Want access to services: info@circl.lu
• –>search for past issues?
38 of 38